FortiGate
montyadams
Staff
Article Id 404547
Description: This article describes the configuration required to establish a dial-up IPsec VPN using IKEv2 between a Windows 11 device and a FortiGate firewall. It covers the VPN phase configuration, user authentication, and proposal compatibility with the built-in Windows VPN client.
Scope: FortiGate configured with an IKEv2 IPsec VPN for remote access, and Windows 11 devices using the native IKEv2 VPN client.
Solution

FortiGate Configuration:

  1. Phase 1 Interface (IKEv2 Dial-Up):

config vpn ipsec phase1-interface
    edit "win11-dialup"
        set interface "wan1"
        set ike-version 2
        set type dynamic
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "StrongPasswordHere"
    next
end

  2. Mode Configuration Settings:

config vpn ipsec phase1-interface
    edit "win11-dialup"
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set dns-mode manual
        set ipv4-dns-server1 8.8.8.8
    next
end

  3. Phase 2 Configuration:

config vpn ipsec phase2-interface
    edit "win11-dialup-p2"
        set phase1name "win11-dialup"
        set proposal aes256-sha256
        set pfs disable
        set src-subnet 0.0.0.0/0
        set dst-subnet 10.10.10.0/24
    next
end

  4. User and Group Configuration:

config user local
    edit "vpnuser"
        set type password
        set passwd "UserPasswordHere"
    next
end

config user group
    edit "ikev2-group"
        set member "vpnuser"
    next
end

config vpn ipsec phase1-interface
    edit "win11-dialup"
        set authusrgrp "ikev2-group"
    next
end

  5. Firewall Policy:

config firewall policy
    edit 0
        set name "IKEv2-Win11"
        set srcintf "win11-dialup"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule always
        set service "ALL"
        set logtraffic all
    next
end

Windows 11 VPN Client Configuration:

  • Select Settings -> Network & Internet -> VPN -> Add a VPN.
  • VPN provider: Windows (built-in)
  • Connection name: FortiGate-IKEv2
  • Server name or address: Public IP or FQDN of FortiGate
  • VPN type: IKEv2
  • Sign-in method: Username and password
  • Enter FortiGate username and password created earlier

Optional: Registry Key for NAT-T:

When the FortiGate is behind NAT, add the following registry value on the Windows client to ensure compatibility:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"NegotiateDH2048_AES256"=dword:00000001

A reboot is required after applying the key.

Proposal Compatibility:

Ensure the proposals used on the FortiGate match those supported by the Windows IKEv2 client:

  • Encryption: AES128, AES256.
  • Authentication: SHA1, SHA256.
  • DH Groups: 2, 14, 24.

Recommended: 'aes256-sha256' and 'dhgrp 14'.
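The client steps above can also be scripted, which makes it easy to pin the Windows client's IKE/IPsec policy to exactly the FortiGate proposal used in this article (aes256-sha256, DH group 14, PFS disabled) instead of relying on the Windows defaults. The following PowerShell is an added example, not part of the original article: the server name vpn.example.com is a placeholder, and it assumes that TunnelType Ikev2 with AuthenticationMethod Eap and no EAP XML gives the default username/password (EAP-MSCHAPv2) sign-in.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt
# on the Windows 11 client. Server name is a placeholder.
$ConnectionName = 'FortiGate-IKEv2'
$ServerAddress  = 'vpn.example.com'   # placeholder: FortiGate public IP or FQDN

# 1. Create the built-in VPN profile (Settings -> VPN -> Add a VPN equivalent).
#    Assumption: Eap without -EapConfigXmlStream = username/password sign-in.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType Ikev2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -RememberCredential `
    -Force

# 2. Pin the IKE SA and IPsec SA parameters to the FortiGate proposal so that
#    phase 1 and phase 2 match on both sides (no dependence on Windows defaults).
$ipsec = @{
    ConnectionName                   = $ConnectionName
    EncryptionMethod                 = 'AES256'     # phase 1: aes256
    IntegrityCheckMethod             = 'SHA256'     # phase 1: sha256
    DHGroup                          = 'Group14'    # set dhgrp 14
    CipherTransformConstants         = 'AES256'     # phase 2: aes256
    AuthenticationTransformConstants = 'SHA256128'  # phase 2: sha256
    PfsGroup                         = 'None'       # set pfs disable
    Force                            = $true
}
Set-VpnConnectionIPsecConfiguration @ipsec

# 3. Optional (FortiGate behind NAT): the registry value from the section above.
#    Takes effect after a reboot, as the article notes.
$rasman = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
New-ItemProperty -Path $rasman -Name 'NegotiateDH2048_AES256' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Verify what was stored before testing the connection; IPsecCustomPolicy
#    should list the pinned values, not the defaults.
$vpn = Get-VpnConnection -Name $ConnectionName
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
$vpn.IPsecCustomPolicy
```

If the FortiGate proposal is later changed, only the $ipsec table needs to follow it; a mismatch here is the most common cause of the "VPN fails to connect" symptom in the troubleshooting table.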

Troubleshooting Tips:

Symptom | Cause / Action | Related article
VPN fails to connect | Check IKE version and matching proposals | Technical Tip: VPN IPSEC DIAL UP does not work with the same DH groups
No IP assigned to client | Ensure mode-cfg is enabled | Technical Tip: IPv4 address exhaustion in ike mode-cfg
No traffic after connection | Verify firewall policy and routing | Troubleshooting Tip: Connected to Dialup IPsec Tunnel but Traffic Hitting Implicit Deny Policy
Authentication fails | Validate user and group configuration | Technical Tip: Error 'EAP failure' with IPsec Dial-Up VPN using remote groups

Comments
GILMENDO
Staff & Editor

great job monty!